In this blog post I’m going to show you how you can secure your Netscaler Gateway or VMware Authentication Server with SMSPassword 2-factor authentication in 5 minutes!
The moment you open your firewall for remote access, you expose your lab or production environment to the whole internet. If you're a blogger like me, it's very likely that IP addresses and account names appear somewhere in your blog posts, which gives an attacker a head start.
I have to admit that I've not been too worried about my home lab before, but now that my entire xenapptraining.com business is running on Office 365 with Active Directory Federation Services, I'm forced to be more careful. The only way to accomplish that is by using 2-factor authentication.
Luckily there’s a cheap solution to my problems, and it’s even FREE for two users. Meet Citrix Ready SMSPassword.
First download your trial here.
The software doesn't rely on Microsoft's RADIUS implementation, so there's no need to configure Network Policy Server; it brings its own RADIUS service, which makes it perfect to install on your Citrix StoreFront server(s). All settings are saved in the smspassword.cfg file. Since that includes the RADIUS shared secret, protect the file like the secret itself: restrictive NTFS permissions, and keep it out of anything you publish.
Start SMSPasswordConfig.exe as Administrator and begin the configuration.
For RADIUS, enter the NSIP of your NetScaler as the client address: by default the NetScaler sources its authentication traffic from the NSIP, so that is the address SMSPassword will see requests from. Use a password generator to create a long, random shared secret; it is the only key protecting the RADIUS exchange.
By default, SMSPassword queries an AD group named SMSPassword for the users it will authenticate, so membership of that group is what enables 2-factor authentication for a user.
I went with BulkSMS as SMS dispatcher and bought a batch of 300 credits for only $11.50.
You can specify the password length and whether you want a mix of characters and numbers. I wanted just numbers, so I deleted the characters.
When you’re happy with the Configuration, select the Service Control tab and install the service. From there you have direct access to the event logs.
BulkSMS also has a nice interface where you can check your message history.
SMSPassword Netscaler Gateway Configuration
Log into your NetScaler and navigate to System – Authentication – Radius and add a new policy with the expression ns_true.
In the server settings, enter the IP address of the server running the SMSPassword service, set the time-out to 100 seconds and leave Accounting off. The default time-out of 3 seconds is far too short here: the RADIUS server answers the first step with a challenge, and the user then has to wait for the SMS and type the code before the NetScaler gives up on the request.
The RADIUS service authenticates the user against Active Directory itself, so you don't need the LDAP policy anymore; just unbind it from the Gateway virtual server and bind the RADIUS policy in its place.
Log in with username and password.
Straight after, you'll receive your one-time password by SMS.
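The password-then-OTP exchange the gateway performs in the two login screens above, as an added example that is not part of the original post and not SMSPassword's code: a small RFC 2865 RADIUS client in Python that hides the password with the shared secret, sends an Access-Request, expects an Access-Challenge carrying a State attribute, and then sends the SMS code back with that State. The in-memory server, the user alice, her password, the OTP 482913, the NAS IP 192.0.2.10 and the shared secret are all constructed test values. It is handy for checking a fresh SMSPassword install from the StoreFront box before you touch the NetScaler: if the reply's Response Authenticator does not verify, the shared secret differs on the two sides.

```python
# RFC 2865 RADIUS client driving a challenge-response OTP login (added example):
#   step 1: Access-Request(password)        -> Access-Challenge (+ State)
#   step 2: Access-Request(OTP, State echo) -> Access-Accept / Access-Reject
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, STATE = 1, 2, 4, 24

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pack_attrs(attrs):
    """Attribute = type(1) length(1, header included) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def unpack_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, password, secret, nas_ip, state=None):
    """Returns (packet, request_authenticator); the authenticator is fresh random bytes."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]   # NetScaler puts its NSIP here
    if state is not None:
        attrs.append((STATE, state))                       # echoed back unchanged in step 2
    body = pack_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra

def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    body = pack_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def parse_response(data, ident, request_auth, secret):
    """Check length, identifier and Response Authenticator before trusting the reply."""
    if len(data) < 20 or struct.unpack("!H", data[2:4])[0] != len(data) or data[1] != ident:
        raise ValueError("bad length or identifier (truncated, stale or injected reply)")
    if hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest() != data[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return data[0], unpack_attrs(data[20:])

def two_step_login(send, username, password, otp, secret, nas_ip="192.0.2.10"):
    """Password step, then OTP step; True only on Access-Accept."""
    pkt, ra = build_access_request(1, username, password, secret, nas_ip)
    code, attrs = parse_response(send(pkt), 1, ra, secret)
    if code != ACCESS_CHALLENGE:
        return False   # Access-Reject, or a server that never asks for a second factor
    pkt, ra = build_access_request(2, username, otp, secret, nas_ip, dict(attrs).get(STATE))
    code, _ = parse_response(send(pkt), 2, ra, secret)
    return code == ACCESS_ACCEPT

def shared_secret_matches(send, secret, nas_ip="192.0.2.10"):
    """Even an Access-Reject only verifies when both sides hold the same shared secret."""
    pkt, ra = build_access_request(0, "probe", "probe", secret, nas_ip)
    try:
        parse_response(send(pkt), 0, ra, secret)
        return True
    except (ValueError, OSError):   # OSError: UDP timeout against a real server
        return False

def fake_otp_server(secret, user, password, otp):
    """Constructed offline stand-in that mimics the challenge flow; not SMSPassword's code."""
    state = os.urandom(8)
    def handle(req):
        ident, ra, attrs = req[1], req[4:20], dict(unpack_attrs(req[20:]))
        name_ok = attrs.get(USER_NAME, b"") == user.encode()
        given = attrs.get(USER_PASSWORD, b"")
        if STATE not in attrs:   # step 1: AD password; success means "SMS sent", ask for it
            ok = name_ok and given == hide_password(password.encode(), secret, ra)
            code, extra = ACCESS_CHALLENGE, [(STATE, state)]
        else:                    # step 2: the OTP, with the State we handed out
            ok = name_ok and attrs[STATE] == state and given == hide_password(otp.encode(), secret, ra)
            code, extra = ACCESS_ACCEPT, []
        return build_response(code if ok else ACCESS_REJECT, ident, ra, secret, extra if ok else [])
    return handle
```

To run it against the real service, replace the in-memory handler with a function that sends the datagram to UDP port 1812 on the SMSPassword server and returns the reply, with a socket timeout no shorter than the 100 seconds configured on the NetScaler, and pass your NSIP as nas_ip. Note that the only integrity protection in classic RADIUS is an MD5 keyed with the shared secret, which is why the secret must be long and random and why the RADIUS path between NetScaler and StoreFront belongs on a trusted network segment.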
To add an extra layer of security I’ve configured a Session Recording Policy for the SMSPassword AD Group. Learn more in the post The Complete Guide to Citrix Session Recording.
So whenever I have external consultants accessing my system, their session will be recorded, which is actually a good thing because I can replay the video and learn from their troubleshooting techniques.
That’s it! While you’re at it, you should Make your NetScaler SSL VIPs More Secure. Great post by fellow CTP Anton van Pelt.